In light of the recent news reports of the take over of the Command and Control servers for the Gameover Zeus botnet - and the potential resurgence of CryptoLocker. I thought it may be a good idea to publish this case study about just how devastating it can be if you find yourself a victim of it.
Back in November 2013, we were contacted by a company, at 5pm on a Friday, who said they had received a notification that all their files had been encrypted by a program calling itself 'CryptoLocker' and that they had to pay a ransom in order to get their files back. We agreed that we would come and look at the issue in the morning.
Tick-Tock
What they neglected to tell us was that CryptoLocker had given them a time limit, and that this had in fact happened a couple of days ago. By the time we got there, we had just under an hour to figure out what could be done about it, after which CryptoLocker said it was going to delete the encryption key it had used, and the files would be permanently encrypted.
To make matters worse, we couldn't be sure that they had usable backups as they didn't seem to have any administrator credentials that would grant us access to the server.
Given these two facts, our initial recommendation was that they paid the ransom in the hope that CryptoLocker would do exactly what it claimed, and they would have their files back.
Pay Up or Lose Your Files Forever?
Now, CryptoLocker is a pretty scary example of this particular breed of malware (known as ransomware) in that it does actually do what it claims to have done.
When your machine is compromised by CryptoLocker it scans it (and every drive it can reach - this is an important fact I will get back to later) for specific file extensions (mainly important things like Office documents, Outlook Personal Folders, images, etc.) and then encrypts any it finds using industry-standard encryption.
CryptoLocker's use of real-world, proven encryption technology makes it impossible to mount a brute-force attack in an attempt to recover the key used (unless you happen to have a few supercomputers lying around) and therefore leaves you with two options: restore your files from a recent backup, or pay the ransom.
Needless to say, this particular client wasn't about to hand over £300 to some nameless criminal in the hope that they could get their files back - they said they had backups and that those were unaffected.
Upon finally gaining access to the server to check those backups, we discovered it had failed to back up anything for the last week, so their most recent backup of all their encrypted data was from the previous Friday.
Had this backup not existed, I would say that this particular company may have found it difficult to re-create all the compromised files from scratch.
Mapped Network Drives and CryptoLocker
CryptoLocker will encrypt files it finds on any drive it can access and, as this particular company found out, that includes shared folders on other machines that you have 'mapped' as drives on your machine.
Now, access permissions should protect any files on those drives from being overwritten - assuming they have been set correctly, but any files that the affected user can modify will be encrypted by CryptoLocker.
That, in essence, is what happened to this company: one user opened an e-mail attachment that put CryptoLocker on their laptop, which then quickly found and encrypted all the files on the company's network shares that this user had access to.
It Only Takes One
This company's data was rendered un-usable in a matter of minutes through the actions of one employee. Their lack of understanding about what a phishing e-mail looks like, and how to properly deal with one cost the company lost productivity, revenue and a lot of money to put right.
Had all staff at this company had even a basic level of security awareness training chances are, even though their anti virus was out of date, CryptoLocker would never have been able to gain a foothold within the company, and their data would have remained safe.
What Can You Do?
If you're worried that you may not have a usable backup of your important data, make one now. You currently have two weeks in which the National Crime Agency, and other law enforcement agencies around the world expect there to be no threat from CryptoLocker.
Use this time to make sure that your computers are up to date, and that your backups work how you expect them to. You really don't want to find yourself a victim of CryptoLocker without a recent backup.
Keep Your Backups Safe
Once you have made a backup, disconnect the backup device from your computer. If you fall victim to CryptoLocker with the backup device still attached, it is likely to render it useless.
It is best to keep any backups off-site, so that if anything happens to your office, you still have a backup of your data in a safe location.
Educate Your Staff
You may have the most advanced security systems on the planet, but they are useless if an attacker can convince an employee on the inside to give them what they want.
Teaching your staff about security threats is your most cost-effective option. Turn your biggest security weakness into your company's greatest asset in the fight against cyber crime, and you'll be less of a target.
Audit Your Access Controls
If your users have access to shared network files, make sure that they only have the permissions they need. Giving your staff too much access to shared data could put your entire company at risk should a new member of staff fall victim to CryptoLocker.
Verifying that your staff only have the permissions they need will help you ensure that your important data is kept safe.
We're Here to Help
If you need more advice on how to properly ensure that your company is protected from threats like CryptoLocker, we are here to help.
We can provide you with a detailed analysis of just how vulnerable your systems may be to any potential attack, and give you advice on how to ensure that minimal disruption is caused should you actually fall victim to something like CryptoLocker.
We are also more than happy to come in and run a training session about CryptoLocker for your staff, so they know what to look out for.
If you would like to speak to us about any of this, please do not hesitate to contact us.